The coast is clear now, but for a while there, Google’s two-step verification system wasn’t keeping you as safe as you thought. In fact, it was providing an avenue for folks to get in. App-specific passwords were propping your door open.
The exploit was found — and reported — by Duo Security, which is publishing its data now that Google has fixed things up. If you’ve enabled two-step (which you should), you know that using applications like Twitter or Facebook or Instagram often involves an app-specific password. Apps that don’t just pass you to a Google login page and have you enter a phone-code will tell you to go get an app-specific password manually from your account page, and put that in.
The logic behind having app-specific passwords is that you can disable access from certain apps — like all the apps on a stolen phone — without disturbing the rest. And that’s great. The problem was, those manual app-specific passwords you put in weren’t actually app-specific. Anyone could re-use any of those passwords to link a Google device (Android phone, Chromebook) to a Google account. From there, hackers could login to services with the device, strolling right on in to account settings without ever knowing the real password.
As explained by Duo Security’s cleverly edited Google ad:
That’s not a good situation, but fortunately it’s been fixed. Ever since Feb 21st, anyone trying to get to account settings needs the real password. Convenience be damned. And even though this was a bit of a breach, it’s worth noting that two-step wasn’t making anything worse; in the absence of two-step, a thief with your app-specific password would just have had your real password instead. And they wouldn’t have to know about the connect-a-device exploit to use it. Way worse.
You’re safe for now, but it serves as a good reminder to keep up with those security best-practices. Clean out your app-specific passwords now and then, change your password occasionally, and beware auto-login features that make your life easier because chances are they’re making it more insecure. Nothing’s full-proof, but just try to stay safe out there. [Duo Security]